The scariest security stories of 2014 (so far)

I’m still not used to typing “2014” in the date field yet, but I just looked up the other day and realized that this year is already half over. An assessment of the first two quarters shows that on the security front, there’s both good news and bad news. The good news is that software vendors are focusing more than ever on making their operating systems and applications more difficult to exploit, and are taking important steps to fix vulnerabilities in a timely fashion – most of the time.

The other bad news is that even when patches are issued quickly, there are still individuals and businesses that don’t get around to applying them, thus leaving more systems open to attack. And software flaws aren’t the only means by which attackers can infiltrate systems and networks.

When it comes to security breaches this year, statistics from the Identity Theft Resource Center for January 1 through July 8 also reveal both positives and negatives. The total number of breaches reported for all categories (banking/credit/financial, general business, educational, government/military, and medical/healthcare) is 395 as of the beginning of July, which is over 20 percent more than half the number for the entire year of 2013 (614). As with last year, the category with the greatest number of breaches was medical/healthcare, reporting 181 of the breaches.

Let’s look at some of the scariest takeaways from all of these reports.

“That’s where the money is”

We’ve all heard the old saw that’s attributed (falsely) to Willie Sutton, who supposedly answered the question “Why do you rob banks?” with “That’s where the money is.” Well, that’s still where the money is, and the fact that so few reported breaches involved banks and other financial and credit institutions is good news. The scary thing is that one of the largest reported breaches in that category, with the most records exposed, is one with which many of us do business: American Express. That breach involved the exposure of 76,608 records pertaining to California customers.

Security breaches of credit card companies are scary because so many of us carry and depend on those cards for our everyday expenditures now. It’s not just those who can’t afford to pay upfront, either. Many businesses, such as car rental companies and hotels, frown on or refuse cash payments, and thanks to rewards programs, many of us use credit cards to pay all of our bills and then pay off the credit card balance in full every month. Our credit card statements can provide a great deal of information about where we go, what we do and how we live, so the thought of hackers having access to all of that is frightening, indeed.

The new risk of charging it

Even if the credit card company itself is able to prevent a breach of its systems, card holders still aren’t safe from hackers. The merchants to whom you present your cards must also be diligent. Unfortunately, some of the big breaches this year have involved the exposure of credit card information at the merchant level. Whether you’re enjoying a restaurant meal, attempting to make yourself beautiful, or just buying groceries for your family, using your card can put you at risk.

These types of breaches are scary because thieves don’t have to steal your physical card; all they need is the data from the magnetic strip. They can use that to encode counterfeit cards that can then be used to make fraudulent purchases. Unless the merchant that got hacked notifies you, you’ll never know anything happened – until you get the bill for thousands of dollars’ worth of items you didn’t buy.

It’s Pay Time – for hackers

The Am Ex breach looks pretty small compared to a breach that occurred in April affecting more than 230,000 people in almost every state in the U.S., with most of the victims in Pennsylvania. Paytime, a payroll services company, informed its customers that hackers had infiltrated its system and stolen personal information that included both social security numbers and bank account numbers.

This one is particularly disturbing because with that information, criminals can steal a person’s identity and/or access the victim’s funds. It’s also a situation where the victims themselves have no control over whether or not to use the company’s services (as they would in choosing their personal banks or what merchants to buy from), since it’s the employer who makes that decision. Victims are attempting to put together a class action lawsuit against the company, alleging negligence.

This is scary at a personal level if you work for the federal government (or as in my case, have family members in the military or other government service). Employment records in both public and private sector contain a lot of private information about people – personal data that can be used for identity theft, medical information, personal history, etc. – but many federal employees who have secret or top secret security clearances will have even more detailed info in their personnel files.

Even if you have no ties to the government yourself, though, it’s more than a little scary that its databases can be breached. That’s particularly true in these troubled times with so many conflicts between nations going on all over the world. We Americans tend to think war can never come to our own shores, even after the devastation of 9/11, but it’s highly likely that future battles will be waged in large part in cyberspace – and if our country loses that one, anything can follow.

None of this year’s breaches have received the level of publicity the Target breach got, although millions of people have been affected by them. And perhaps that’s the scariest aspect of all this. Are we getting so used to wide-scale security breaches that we’ve become desensitized to the news of yet another one?

About the Author: Debra Littlejohn Shinder

Debra Littlejohn Shinder has been working and writing in the field of IT security since 1998. She’s an author of and contributor to over 25 books on computer technology, including “Scene of the Cybercrime,” based on her previous experience as a police officer and police academy instructor. Deb is owner and CEO of TACteam (Training, Authoring and Consulting) and has contracted with Microsoft, Intel, HP, Prowess Consulting, Sunbelt Software, GFI Software, ConfigureSoft, 2X Software and other software and hardware companies. She currently writes articles and blogs for Windowsecurity.com, WindowsNetworking.com and CloudComputingAdmin.com as well as GFI’s Talk Tech to Me and Patch Central, and has published more than 1800 articles for web sites and print magazines. Deb has been a Microsoft MVP in the area of enterprise security for the past eleven years.